fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

unconfined_u:unconfined_r:unconfined_t is unable to configure safesetid #2071

Open shammancer opened 3 months ago

shammancer commented 3 months ago

Hello,

I'm playing around with a custom kernel and trying out safesetid, and I'm unable to configure the safesetid LSM when SELinux is in enforcing mode.

Fedora Release

$ cat /etc/redhat-release

Fedora release 39 (Thirty Nine)

Policy packages:

$ dnf list --installed | grep selinux-policy

selinux-policy.noarch 39.5-1.fc39 @updates
selinux-policy-targeted.noarch 39.5-1.fc39 @updates

Reproducer command:

sudo bash -c "echo \"1001:1002\" > /sys/kernel/security/safesetid/uid_allowlist_policy"

Audit Message:

Mar 22 12:28:30 lfd441-fedora39-uefi audit[1201]: AVC avc: denied { mac_admin } for pid=1201 comm="bash" capability=33 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
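As an added example (not part of this report or of selinux-policy), a small parser for AVC records of the kind quoted above: it extracts the fields, cross-checks the numeric capability against the permission name, and renders the .te allow rule the denial corresponds to. The sample line is the report's AVC line with the syslog prefix removed, and the capability-number table is the one from linux/capability.h; whether granting mac_admin to unconfined_t is the right resolution is exactly what this issue leaves open.

```python
import re

# Constructed sample: the AVC line from the report, with the syslog prefix stripped.
SAMPLE_AVC = (
    'audit[1201]: AVC avc: denied { mac_admin } for pid=1201 comm="bash" '
    'capability=33 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=capability2 permissive=0'
)

# Capability numbers from linux/capability.h; the capability2 object class
# covers the capabilities numbered 32 and above (capability covers 0-31).
CAPABILITY_NAMES = {
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read", 38: "perfmon", 39: "bpf",
    40: "checkpoint_restore",
}

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")):
        fields[key] = value.strip('"')
    return fields


def describe_capability_denial(fields):
    """For capability/capability2 denials, verify that the numeric capability
    matches the denied permission and return the equivalent .te allow rule;
    return None for other object classes."""
    if fields is None or fields.get("tclass") not in ("capability", "capability2"):
        return None
    cap_num = int(fields["capability"])
    cap_name = CAPABILITY_NAMES.get(cap_num)
    if cap_name is not None and cap_name not in fields["perms"]:
        raise ValueError(f"capability={cap_num} ({cap_name}) does not match {fields['perms']}")
    # Kernel records use scontext=; the line as pasted in the report says context=.
    sctx = fields.get("scontext") or fields.get("context")
    stype = sctx.split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    target = "self" if stype == ttype else ttype
    return f"allow {stype} {target}:{fields['tclass']} {' '.join(fields['perms'])};"


if __name__ == "__main__":
    print(describe_capability_denial(parse_avc(SAMPLE_AVC)))
```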